just another infosec blog

Forensics approach to handling vulnerability scanner results

I was scratching my head this week as I ventured deeper into the world of vulnerability scanners. Not actually the scanners themselves, but rather the process of handling the process surrounding them. I.e. validating results. Finding no proper methodologies on the Net, I set out penning my own based on one of my older methods and some ideas mildly influenced by several bad movies and television shows, and a dash of IRL crime scene methodologies.

The Method

The method is a high level overview of the process of validating vulnerabilities found using vulnerability scanners. As you might now, most vulnerability scanners offers an easy to use GUI. With a click of a button you got your network vulnerabilities mapped out. It appears to me that companies producing these scanners put a lot of effort in making these tools easy to use, but skip to tell customers how to approach validating the vulnerabilities. My method addresses just that – how to approach determining if the vulnerability is real or not. This without getting caught in details about tools to use and how to use them. I’m going to save that for a future post.

The basis of my method is to treat the report as a crime scene. When approaching a crime scene, there are some rules to follow. Why such rules? Well – by running head into a situation you might miss crucial clues that would have made your job way more easier. By following this method you could easily weed out false positives at an early stage, thus reducing your work in latter stages.

Please bear in mind, I wrote this piece having newbies in mind. If you got some experience, you might be able to handle vulnerabilities in any step described.

The 5 Step handling the “crime scene”

Get the first report

Observe the surroundings

Clinical view of the crime scene

Find evidence

Report the conclusion

Step 1 – Get the first report

When a vulnerability scanner has done its magic, it’ll generate a report on what it has found. Due to the nature of vulnerability scanners, these reports tend to include lots of false positives. Think of it as Hercule Poirot reporting on everything he sees, just to be sure he hasn’t missed anything. A vulnerability scanner is just a piece of dumb software, doing exactly that. Nevertheless, we need this report for further investigation. to understand the crime scene. So grab the report in whatever format you need and move on.

Step 2 – Observe

Once we get the report we must start getting acquainted with it. This is the step where we skim through the report to get an overview of the crime scene. In this step we are not trying to understand the findings or why they were found. We are just interested in the high level overview to get the big picture.

Step 3 – Clinical view of the crime scene

After been observing and getting the big picture, we dive into the matter. It’s time to actually look at each finding. Note we LOOK at the findings without analysing and understanding it. We read and re-read the vulnerability details to understand what we are dealing with and to draw a workflow for further analysis.

Note: Most often you’ll see that vulnerabilities follow a specific pattern from this step. Mostly, talking from experience, vulnerabilities seems to exist because of outdated software or bad configurations, and that this can be found on any targets. See – by finding this pattern you’ve just reduced the workload on yourself in later steps since you most likely don’t need to confirm every target! More so, it may be an indicator that the same person set up all the targets in similar way.

Step 4 – Find evidence

Great! We now got a workflow and fair grip of how the target(s) are laid out – technology wise. It’s time to confirm the leftover vulnerabilities by bringing out some heavy artillery. Our artillery consists mainly of Kali Linux and its tools, and some tools we’ve made ourself. In this step we apply various tools to find out if the target(s) are vulnerable to any of the reported vulnerabilities. It’s important to stress that we are NOT going to exploit the target(s).

Step 5 – Report

Based on the outcome of step 4, we put our findings in a final report and hand it over to the customer, together with a high level description of the situation.. As said on several crime shows: we bag and tag it.